Using Open Source Tools to Build Privacy-Conscious Data Systems

Databricks
26 Jul 2023 19:52

Summary

TL;DR: In this talk, a senior software engineer from Ethyca discusses the complexities of data privacy compliance, highlighting the increasing number of global regulations. The speaker outlines the seven foundational principles of GDPR and emphasizes the importance of data subject requests, data mapping, and consent tracking. They introduce Fides, an open-source privacy platform designed to automate compliance processes, cater to different personas, and ensure privacy throughout the software development lifecycle. Fides is praised for its comprehensive approach, addressing DSR processing, data mapping, user privacy interfaces, and compliance enforcement.

Takeaways

  • 🌐 Data privacy is becoming increasingly complex with over 30 countries and 6 U.S. states having passed privacy legislation, affecting how companies handle personal data.
  • 📜 The GDPR's seven foundational principles serve as a model for many privacy laws, emphasizing the importance of compliance across different regions.
  • 🔑 The 'triumvirate of compliance' for technology companies includes Data Subject Request (DSR) processing, Record of Processing Activities (RoPA), and Consent Tracking.
  • 👨‍💻 Manual processes for compliance are not scalable and can be costly, leading many organizations to seek automated solutions.
  • 🛠️ Fides, an open-source privacy engineering platform, aims to address privacy compliance challenges by offering tools for automated DSR processing, data mapping, and consent management.
  • 🔗 Fides is designed to cater to different personas within an organization, including software engineers, privacy engineers, compliance professionals, and security professionals.
  • 💻 The platform includes a CLI for developers, an API for configuration and execution, and a UI for privacy administration, providing a comprehensive approach to privacy management.
  • Fides uses a language called Fides Lang to express privacy policies as code, allowing for evaluations against systems and data sets to ensure compliance.
  • 🌟 The Python Software Foundation has recognized Fides' value, contributing to its development and implementing it as part of their infrastructure.
  • 🔗 Fides is not just a compliance tool but a holistic solution that covers the entire data lifecycle, from development to runtime, and includes user-facing privacy centers.

Q & A

  • What is the significance of the GDPR's seven foundational tenets in data privacy?

    - The GDPR's seven foundational tenets serve as a comprehensive framework for data protection and privacy. They outline the main requirements that organizations must adhere to in order to ensure compliance with data privacy laws, including principles like data minimization, purpose limitation, and the right to erasure.

  • How does the speaker describe the current state of data privacy regulations globally?

    - The speaker describes the current state of data privacy regulations as complex and growing, with over 30 countries having data protection laws, including the EU as a single entity, and six U.S. states having passed privacy legislation, with more in progress.

  • What does the speaker refer to as the 'triumvirate of compliance'?

    - The 'triumvirate of compliance' refers to three critical components that technology companies must address to ensure data privacy compliance: data subject request processing, record of processing activities (ROPA), and consent tracking.

  • Why are manual processes for handling data privacy not considered scalable according to the speaker?

    - Manual processes for handling data privacy are not scalable because they often rely on interns or data engineers performing repetitive tasks like running SQL queries, logging into APIs, and sending emails, which is both time-consuming and expensive.

  • What is the role of the 'Privacy Center' in the context of the Fides platform?

    - The 'Privacy Center' in the Fides platform is a user-facing interface that allows individuals to manage their privacy preferences, such as data access, data erasure, and consent management. It is a key component in how users interact with the platform from a privacy perspective.

  • How does Fides aim to help with the processing of Data Subject Requests (DSRs)?

    - Fides aims to help with the processing of Data Subject Requests (DSRs) by providing automated DSR processing capabilities, which can reduce the manual workload and improve the efficiency of handling such requests.

  • What is the significance of the 'fideslang' in the Fides platform?

    - The 'fideslang' is a YAML-based language used in the Fides platform to express privacy policies and metadata. It allows for the codification of privacy policies in a way that can be evaluated against the code and systems to ensure compliance.

  • How does the speaker suggest using Fides during the software development lifecycle?

    - The speaker suggests using Fides during the software development lifecycle by integrating it into the CI process, using it as a git hook, and employing its CLI for maintaining privacy at development time, which can help catch privacy failures before they reach production.

  • What is the importance of the Python Software Foundation's contribution to Fides mentioned in the script?

    - The Python Software Foundation's contribution to Fides is significant because it indicates the recognition of Fides by a major organization in the Python community. It also implies that Fides will be integrated into the Python Software Foundation's infrastructure, potentially increasing its adoption and use.

  • What are the different personas that Fides aims to cater to?

    - Fides aims to cater to different personas including software engineers, privacy engineers, compliance professionals, and potentially security professionals. It provides a CLI for development time privacy maintenance, an API for configuration and execution, and a UI for privacy administration during runtime.

Outlines

00:00

📜 Introduction to Data Privacy and Compliance

The speaker, a senior software engineer at Ethyca, kicks off the final session of the day by acknowledging the audience's likely exhaustion while promising that data privacy and compliance is an exciting topic. The talk focuses on modern privacy regulations, highlighting the complexity of data privacy laws across over 30 countries and six U.S. states and emphasizing the critical need for compliance. The speaker outlines the seven foundational tenets of GDPR, which serve as a basis for many privacy laws, and introduces the concept of the 'triumvirate of compliance' for technology companies: data subject request processing, record of processing activities (ROPA), and consent tracking. The talk aims to explore how open source tools can assist in maintaining compliance with these regulations.

05:02

πŸ› οΈ The Role of Engineers in Privacy Compliance

The speaker emphasizes the collective effort required for privacy compliance within a company, involving not just a compliance or privacy engineering team but all teams, including software engineers. Synergy among teams is stressed, because privacy compliance is not a task for a single group. The speaker introduces 'Fides', an open-source privacy-as-code platform that aims to address the challenges of privacy compliance. Fides is named after the Roman goddess of trust and is designed to be a comprehensive platform for building and maintaining privacy-respecting software throughout the software development lifecycle. The platform is built by privacy experts and is open source, backed by a private company with a team of engineers and compliance experts. Fides caters to different personas within an organization, including software engineers, privacy engineers, compliance professionals, and security professionals, by providing a CLI for development time, an API for configuration and execution, and a UI for privacy administration during runtime.

10:04

πŸ” Demonstrating Fides with a Live Example

The speaker proceeds to a live demonstration of Fides, starting with the command line interface (CLI). The CLI allows for the deployment of a sample application that showcases the evaluation of privacy policies against code and the handling of user privacy requests. The speaker introduces 'Fides Lang', a language used to express privacy as code, which includes systems, data sets, and policies. These are the foundational elements for discussing privacy in a code-relevant manner. The demonstration includes pushing metadata files to a server, evaluating privacy policies, and showing how privacy breaches can be caught during development, preventing privacy issues from reaching production. The speaker also shows the user-facing privacy center, where users can manage their data access, erasure, and consent, emphasizing the importance of a dark pattern-free consent flow.

15:04

🌐 Holistic Privacy Compliance with Fides

The speaker summarizes the capabilities of Fides in maintaining privacy throughout the software development lifecycle and user interactions. Fides includes connectors to data sources, including third-party APIs, to handle data requests and ensure compliance. The speaker discusses the importance of handling data subject requests, consent tracking, and data mapping, which are often complex and require a holistic approach. Fides is presented as a solution that addresses these challenges by offering tools for DSR processing, data mapping, a user-facing privacy center, and enforcing compliance during development. The speaker acknowledges the difficulty of data compliance and the reality that many companies are either non-compliant or only partially compliant. Fides is positioned as a comprehensive, open-source solution supported by privacy experts, with recent contributions from the Python Software Foundation. The talk concludes with resources for learning more about Fides, including documentation, GitHub repositories, and a podcast episode featuring the speaker.

Keywords

💡 Data Privacy

Data privacy refers to the practices and policies that protect personal information from unauthorized access, use, or disclosure. It is a fundamental aspect of modern data protection laws and is central to the video's theme. The speaker discusses the increasing complexity of data privacy regulations globally and how they impact organizations. For instance, the speaker mentions the General Data Protection Regulation (GDPR), which has seven foundational principles that guide data privacy compliance.

💡 Compliance

Compliance in the context of the video refers to an organization's adherence to legal and regulatory requirements, particularly those related to data privacy. The video emphasizes the importance of compliance with data protection laws, which are becoming more complex and numerous. Compliance is achieved through various mechanisms, including data subject request processing, data mapping, and consent tracking, as highlighted by the speaker.

💡 Data Subject Request (DSR)

A Data Subject Request is a request made by an individual to a company to access, correct, or delete their personal data. The video discusses how DSRs are a critical component of data privacy compliance. The speaker mentions the 'right to be forgotten' and 'right to erasure' as examples of DSRs, which companies must be able to process efficiently to maintain compliance.

💡 Data Mapping

Data mapping is the process of documenting and visualizing the flow of data through an organization's systems. It is essential for understanding where data resides and how it is used, which is crucial for compliance with data privacy laws. The video mentions data mapping as a part of the 'triumvirate of compliance' and discusses the need for automated tools to facilitate this process.

💡 Consent Tracking

Consent tracking involves monitoring and recording an individual's consent to the use of their personal data. The video discusses how websites often require users to consent to data usage, and companies must track this consent throughout the data's lifecycle. The speaker highlights the importance of having a 'dark pattern free consent flow' to ensure users' wishes are respected.

💡 GDPR

The General Data Protection Regulation (GDPR) is a European Union regulation that aims to strengthen and unify data protection for individuals within the EU. The video uses GDPR as an example of the type of data privacy laws that organizations must comply with. The speaker outlines the seven foundational principles of GDPR, which serve as a model for many other privacy laws around the world.

💡 Open Source Tools

Open source tools are software applications whose source code is available to the public, allowing for collaborative development and modification. The video discusses the use of open source tools to help organizations stay compliant with data privacy regulations. The speaker introduces 'Fides', an open source privacy engineering platform, as a solution to automate and streamline compliance processes.

💡 Fides

Fides is an open-source privacy engineering platform introduced in the video. It is designed to help organizations build and maintain privacy-respecting software by covering the entire software development lifecycle. The speaker explains how Fides can automate DSR processing, data mapping, and consent management, aiming to simplify the complex task of data privacy compliance.

💡 Privacy as Code

Privacy as Code is the concept of encoding privacy policies and regulations into machine-readable formats that can be integrated into software development processes. The video introduces 'Fides Lang', a language used within the Fides platform to express privacy policies in a way that can be evaluated against code and systems. This approach allows for automated compliance checks and is a key feature of the Fides platform.
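
The development-time check described here, as an added Python example that is not code from the talk or from the Fides project: it evaluates a system's declared data uses against a codified policy rule and returns the exit code a CI job or git hook would act on. The data model, the ANY/ALL/NONE match modes, the dot-separated labels and every name below are assumptions made for illustration, not the fideslang schema or the Fides evaluator.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


def covers(parent: str, child: str) -> bool:
    """True when `child` equals `parent` or sits below it in the dotted hierarchy."""
    return child == parent or child.startswith(parent + ".")


@dataclass(frozen=True)
class Matcher:
    mode: str                 # "ANY", "ALL" or "NONE" (assumed match modes)
    values: Tuple[str, ...]

    def matches(self, declared: Sequence[str]) -> bool:
        # One flag per rule value: does any declared label fall under it?
        hits = [any(covers(v, d) for d in declared) for v in self.values]
        if self.mode == "ANY":
            return any(hits)
        if self.mode == "ALL":
            return all(hits)
        if self.mode == "NONE":
            return not any(hits)
        raise ValueError(f"unknown match mode: {self.mode!r}")


@dataclass(frozen=True)
class Declaration:
    """What one piece of functionality does with which data, for whom."""
    system: str
    name: str
    data_categories: Tuple[str, ...]
    data_use: str
    data_subjects: Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    """A combination of category, use and subject that the policy forbids."""
    name: str
    data_categories: Matcher
    data_uses: Matcher
    data_subjects: Matcher


@dataclass(frozen=True)
class Violation:
    system: str
    declaration: str
    rule: str


def evaluate(rules: Sequence[Rule], declarations: Sequence[Declaration]) -> List[Violation]:
    """A declaration violates a rule only when all three dimensions match."""
    violations = []
    for decl in declarations:
        for rule in rules:
            if (rule.data_categories.matches(decl.data_categories)
                    and rule.data_uses.matches([decl.data_use])
                    and rule.data_subjects.matches(decl.data_subjects)):
                violations.append(Violation(decl.system, decl.name, rule.name))
    return violations


def ci_exit_code(violations: Sequence[Violation]) -> int:
    """Non-zero fails the pipeline or blocks the push."""
    return 1 if violations else 0


# Constructed sample data (labels are illustrative, not taken from the talk).
POLICY = [Rule(
    name="no_contact_data_for_advertising",
    data_categories=Matcher("ANY", ("user.contact",)),
    data_uses=Matcher("ANY", ("marketing.advertising", "third_party_sharing")),
    data_subjects=Matcher("ANY", ("customer",)),
)]
BASELINE = [
    Declaration("cookie_shop_app", "process_orders",
                ("user.contact.email", "user.financial"), "essential.service", ("customer",)),
    Declaration("cookie_shop_app", "product_analytics",
                ("user.device.cookie_id",), "improve.product", ("customer",)),
]
# The kind of change the demo makes: a new declaration added during development.
NEW_DECLARATION = Declaration("cookie_shop_app", "email_campaigns",
                              ("user.contact.email",), "marketing.advertising", ("customer",))

if __name__ == "__main__":
    for label, decls in (("before", BASELINE), ("after", BASELINE + [NEW_DECLARATION])):
        found = evaluate(POLICY, decls)
        print(label, "exit code", ci_exit_code(found), found)
```

The rule names a parent category (`user.contact`), so the more specific `user.contact.email` in the new declaration is caught by prefix matching; the order-processing declaration uses the same category but passes because its declared use is not one the rule forbids.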

💡 Data Lifecycle

The data lifecycle refers to the series of stages that data goes through from creation to deletion. In the context of the video, managing data privacy across the entire data lifecycle is crucial for compliance. The speaker discusses how tools like Fides can help organizations track and manage data through its lifecycle, ensuring that privacy regulations are followed from the point of data collection to data disposal.

💡 Global Privacy Control (GPC)

Global Privacy Control (GPC) is a browser setting that allows users to express their privacy preferences, such as opting out of data sales and sharing. The video mentions GPC in the context of a user interface where users can manage their privacy settings. The speaker demonstrates how the Fides platform can detect GPC settings and adjust the user's privacy experience accordingly, reflecting the platform's responsiveness to user consent.

Highlights

Introduction to the importance of data privacy and compliance in modern software engineering.

Discussion on the increasing complexity of data privacy with over 30 countries having data protection laws.

Mention of six U.S. states with privacy legislation and the trend towards more states adopting similar laws.

Overview of the seven foundational tenets of GDPR as a basis for many privacy laws.

The 'triumvirate of compliance' comprising data subject request processing, data mapping, and consent tracking.

Challenges faced by companies in complying with privacy laws, including reliance on manual processes and the cost of non-compliance.

The need for a holistic approach to compliance that covers the entire data lifecycle.

Introduction to Fides, an open-source privacy engineering platform designed to address compliance challenges.

Fides' support for different personas including software engineers, privacy engineers, and compliance professionals.

Demonstration of Fides' CLI for pushing privacy metadata files to a centralized server.

Explanation of Fides' privacy policy evaluation process to ensure code compliance with privacy policies.

Showcase of Fides' user-facing privacy center for managing data access, erasure, and consent.

Discussion on how Fides helps maintain privacy during the software development lifecycle.

The integration of Fides with the Python Software Foundation and its use in pip infrastructure.

Summary of Fides' comprehensive solution for DSR processing, data mapping, user privacy centers, and development-time compliance enforcement.

Promotion of resources for learning more about Fides, including documentation, GitHub repositories, and a podcast episode.

Transcripts

play00:11

I'm a senior software engineer at Ethyca

play00:14

thank you for being here on the final

play00:17

session of the first day I'm sure you're

play00:18

all exhausted

play00:20

but we're going to talk about the most

play00:21

exciting thing which is data privacy

play00:23

compliance

play00:26

so really quick we're going to speed run

play00:29

modern privacy regulations that's going

play00:31

to give us kind of a nice set stage for

play00:34

when we talk about

play00:35

how open source tools can help you stay

play00:38

compliant

play00:40

so really quick there are 30 plus

play00:42

countries across the world and that is

play00:45

actually including the EU as a single

play00:47

entity so we're looking at what almost

play00:49

60 countries with data protection laws

play00:51

six U.S states have already passed

play00:53

privacy legislation you'll probably know

play00:54

CCPA in California Florida has their own

play00:57

Texas passed their own and there are 20

play00:59

more states on the way so data privacy

play01:02

is getting more complex by the day there

play01:05

are all these different rules for all

play01:07

these different places and it's becoming

play01:09

more and more critical to stay on top of

play01:10

things

play01:13

so generally what do these laws require

play01:15

these are kind of the seven foundational

play01:18

tenets of GDPR I'm not going to go into

play01:20

each one but this is what's listed on

play01:23

their website is kind of the main things

play01:24

to remember and even though not all

play01:27

privacy laws are exactly this

play01:30

um they're pretty similar it was kind of

play01:31

a uh we're going to copy your homework

play01:33

but like change a little bit situation

play01:35

um where they're all generally similar

play01:37

to this but with a few changes here and

play01:39

there

play01:40

practically for engineers for technology

play01:44

companies this comes down to what I call

play01:46

the triumvirate of compliance so how do

play01:48

we stay compliant with generally what

play01:50

those seven tenets require so number

play01:53

one is going to be data subject request

play01:55

processing it's going to be DSR from

play01:57

here on out so you've probably heard of

play01:59

like the right to be forgotten the right

play02:01

to Erasure you've got the right to

play02:03

access so being able to see what data a

play02:07

company has about you second is a RoPA

play02:09

that's like the legalese record of

play02:12

processing activities some people call

play02:13

it the data map you need to be able to

play02:16

to tell The Regulators every year

play02:19

what are you doing with whose data and

play02:22

what is your what is your legal grounds

play02:24

for doing so you have to be able to

play02:25

explain this to regulators and then

play02:27

finally we have consent tracking I'm

play02:29

sure you all remember a few years ago

play02:31

the internet got even more annoying

play02:33

because every website you go to now has

play02:35

a pop-up and you have to click a thing

play02:37

that says okay you can use my data no I

play02:39

don't use my data

play02:41

um and you need to actually track that

play02:42

so when when a user comes to your

play02:45

website

play02:46

they're now generating data they're

play02:47

probably storing and you actually need

play02:49

to

play02:50

respect their wishes in terms of consent

play02:52

all throughout the life cycle of the

play02:54

data

play02:57

so organizations in some cases are

play03:00

trying to to comply with all these

play03:01

things and from what we've seen a lot of

play03:04

companies are relying on manual

play03:06

processes so this basically just ends up

play03:08

being a bunch of interns or a bunch of

play03:11

data Engineers running SQL queries they

play03:14

are logging into apis they're sending

play03:16

emails manually and it's not scalable it

play03:20

gets really expensive

play03:21

and there's no one to make coffee

play03:23

because the the interns are all busy

play03:25

handling data subject requests

play03:28

next you have some companies are just

play03:29

kind of

play03:31

accepting that it's too complex and it's

play03:34

too expensive and they're just going to

play03:36

say okay we're going to be out of

play03:37

compliance we know that it's a risk but

play03:39

it's a risk we're going to take because

play03:40

the

play03:41

the alternative is just too difficult

play03:43

and then finally there are vendors

play03:46

there are people out there buying their

play03:47

Solutions and adopting them but again

play03:49

to be truly compliant you have to cover

play03:52

data throughout the entire lifestyle

play03:53

life cycle so it's not just our data

play03:55

warehouse is covered so we're good there

play03:57

or it's not just okay we have a cookie

play03:59

consent Banner on our web page

play04:01

everything needs to be working together

play04:03

the data subject requests need to get

play04:05

processed against the data warehouse and

play04:08

the application database so it's a lot

play04:10

more complex than just usually a single

play04:12

solution can provide

play04:15

so to sum up

play04:17

an ideal way to solve this problem is to

play04:20

have a single tool that can do automated

play04:21

DSR processing right so

play04:24

give the interns a break there's not

play04:25

enough of them on Earth to handle all

play04:27

these requests

play04:28

automated data mapping so some kind of

play04:31

tool that can go and figure out where

play04:33

your data lives what it's doing there

play04:37

why it's being used

play04:39

Etc and then finally a dark pattern for

play04:42

you that's very specific because people

play04:43

are actually getting caught on this a

play04:44

dark pattern free consent flow so people

play04:46

need to be able to visit your website

play04:48

they need to be able to give consent and

play04:49

that needs to be stored and used later

play04:50

when processing dsrs

play04:53

Etc

play04:55

so this is the ideal state right so

play04:57

we've got software engineers and privacy

play04:59

professionals working together

play05:01

to achieve privacy compliance because

play05:03

just like security it's not something

play05:05

that a single team or a single group of

play05:08

people can solve within a company you

play05:11

have potentially a compliance team or

play05:14

privacy engineering team and they're

play05:16

there to set guidelines and they're

play05:18

there to make recommendations and work

play05:19

with people but they need the Synergy of

play05:22

all the other teams to really make this

play05:24

work and that's why it's really

play05:25

important that a tool also includes

play05:27

software Engineers as part of that

play05:29

because ultimately we're the ones

play05:31

building the software or data Engineers

play05:33

we're the ones building the software

play05:34

that's using this data and we know it

play05:36

better than a privacy engineer is going

play05:38

to know it

play05:41

okay so we're going to enter fides which

play05:44

is the open source privacy as code

play05:45

platform that we're going to talk about

play05:46

today that's aiming to solve some of

play05:48

these problems

play05:50

all these problems in fact

play05:52

so what is it first off it's pronounced

play05:55

fides and it's from the goddess of trust

play05:58

and Roman mythology our company name as

play06:01

well Ethyca

play06:02

earlier I called it a triumvirate a lot

play06:04

of Greco-Roman themes going on here

play06:06

and it's a platform an entire platform

play06:09

not just like a single application it's

play06:10

a platform for building and maintaining

play06:12

privacy respecting software

play06:15

um that means it's going to cover

play06:17

the software development lifelike life

play06:19

cycle itself so from the the engineering

play06:21

stage due to the CI stage all the way

play06:24

into runtime runtime applications

play06:27

it's built by privacy experts so it is

play06:29

fully open source but it's being backed

play06:32

by a private company full of Engineers

play06:34

and compliance experts who understand

play06:37

this kind of stuff because it is really

play06:38

complicated and then finally

play06:41

as I had mentioned earlier you have to

play06:43

be able to cater to different personas

play06:45

you need to have software Engineers

play06:47

working with privacy Engineers working

play06:49

with compliance professionals

play06:51

potentially even then working with

play06:52

Security Professionals

play06:54

so we have a CLI for maintaining privacy

play06:56

at development time we have an API for

play06:58

configuration and execution and then we

play07:01

have a UI for privacy Administration

play07:03

during run time so we're catering to all

play07:05

these different personas in a single

play07:06

application single platform

play07:09

now we're going to hop into a demo

play07:23

so here we've got the Fides command line

play07:25

spun up

play07:27

um

play07:27

it is in Python so it's pip installable

play07:29

if you want to as well you can use it

play07:31

via Docker container

play07:33

so

play07:34

anytime you pip install Fides you're

play07:36

going to get this handy command that'll

play07:39

give you a good idea

play07:41

of what Fides is capable of so fides

play07:43

deploy up it's going to require that you

play07:45

have Docker compose installed as well

play07:47

and then what it's going to do is it's

play07:48

going to spin up

play07:50

an entire sample application that's

play07:52

going to show you the flow of evaluating

play07:55

your privacy policies against your code

play07:57

as well as what happens when a user

play07:59

wants to submit a privacy request

play08:02

real quick I'll show you

play08:05

what that looks like

play08:07

so in these yaml files this is kind of a

play08:10

thing we call Fides Lang

play08:13

and this is the foundation of Fides

play08:15

this is

play08:16

expressing

play08:18

privacy as code

play08:21

so we have systems we have things like

play08:23

data sets we've created all of these

play08:26

kind of prerequisite

play08:29

Primitives that you need to be able to

play08:31

talk about privacy in a way that's

play08:33

applicable to code

play08:35

and then scalable as metadata

play08:39

so here we have systems that can be a

play08:41

micro service that can be a specific

play08:43

functionality within a microservice we

play08:46

have data sets

play08:48

so okay our Redis cache we need to know

play08:50

what data is stored in there because

play08:51

there might be PII in our application

play08:53

database

play08:58

we need to know everything that's in

play08:59

there

play09:01

we need to know what types of data is in

play09:02

there

play09:04

and then we have our policies so this is

play09:06

basically a privacy policy codified in

play09:09

Fides Lang that we're going to be able

play09:10

to run evaluations against

play09:18

so when you run fides deploy up you're

play09:20

going to get greeted by this nice web

play09:22

page that opens locally

play09:24

so the few different things we can play

play09:26

around with first I'm going to jump into

play09:29

the CLI demo

play09:37

so when you run fides push which is a

play09:39

CLI command it's going to take all of

play09:41

those yaml metadata files that I showed

play09:42

you before and it's going to push them

play09:44

up to the server this is pretty closely

play09:47

based off of like kube cuddle, kubectl,

play09:49

whatever you might want to call it it's

play09:51

meant to be a very familiar interface

play09:52

where you've

play09:54

created everything as yaml files locally

play09:56

and then it's getting pushed and stored

play09:58

in a centralized server

play10:00

so now if I do a fides evaluate

play10:03

it's going to take that codified privacy

play10:05

policy that I showed earlier

play10:07

and it's going to

play10:09

check everything that I've declared and

play10:11

my systems and my data sets and make

play10:13

sure that I'm not breaching that policy

play10:14

in any way

play10:16

I can come back over here

play10:21

and

play10:24

I've added this privacy declaration in

play10:26

here so that's saying I've added some

play10:28

kind of functionality to my system

play10:30

I've come in here and I've added it as

play10:33

an additional privacy Decker saying okay

play10:34

I'm also using this data for this reason

play10:37

with this data subject in this qualifier

play10:41

so if I do that

play10:43

we now have something that breaches our

play10:45

privacy policy and the evaluation is

play10:47

going to come up as a fail and you're

play10:49

going to see what that looks like

play10:52

so this is something that would run in

play10:53

Ci or it could even run as a git hook

play10:56

before the developer pushes and this

play10:58

basically means that you can catch

play11:00

privacy failures before they even

play11:03

get to production right because again

play11:05

just like with security if the security

play11:07

flaw makes it into production it's still

play11:10

an incident right you haven't you

play11:12

haven't truly stopped it from happening

play11:14

so the first kind of protection here is

play11:17

Fides will help you at development time

play11:19

avoid some of these some of these issues

play11:23

what happens after you deploy your

play11:25

application though right so I'm going to

play11:27

come we have a a nice

play11:29

we have a nice sample application here

play11:31

cookie house so say I'm a user uh it's

play11:33

my cheat day we're not counting calories

play11:34

so I'm just going to come over here I'm

play11:37

going to buy the triple pack

play11:51

okay so now we're gonna buy some cookies

play11:54

awesome

play11:56

so we've got this privacy Center down

play11:58

here this is something that gets

play12:00

deployed along with your code and this

play12:03

is the key way in which your users are

play12:06

going to interact with fides from a

play12:08

privacy perspective

play12:10

so they come here even though this is

play12:13

themed like the website we were just

play12:14

using this is actually something you

play12:16

would deploy from

play12:18

from fides

play12:19

so we can do our data access we can do

play12:21

our data Erasure we can also manage our

play12:23

consent

play12:24

so I can come over here to manage

play12:26

consent

play12:29

I can give him my email right so that's

play12:30

my primary identifier that's how the

play12:32

system knows who I am because I made my

play12:34

order with that email that ID and now

play12:37

okay because I'm using this browser it's

play12:39

detecting Global Privacy Control

play12:42

it's automatically opted me out of data

play12:45

sales and uh sales and sharing email

play12:47

marketing for product analytics is okay

play12:49

that's perfect because that's what I've

play12:50

set my browser to allow

play12:54

now I'll come in here and do a an access

play12:56

request so I ordered my cookies they

play12:58

were delicious but now I'm kind of

play13:00

curious what this company has on me

play13:07

okay so this is what we call the admin

play13:09

UI this is where the compliance team the

play13:12

Privacy professionals potentially the

play13:13

Privacy Engineers would come to interact

play13:15

with the system

play13:17

so what's nice is that the the engineers

play13:19

are interacting with Fides in a very

play13:22

engineering type way right they're using

play13:23

the CLI they're writing YAML files

play13:25

that's something that Engineers just are

play13:28

inherently used to doing these days

play13:30

and so they don't really feel any extra

play13:32

friction when they do those things yes

play13:33

it's extra steps but it's not like

play13:34

they're having to go learn a new tool

play13:36

that they're completely unfamiliar with

play13:38

likewise we're not forcing compliance

play13:41

professionals lawyers or privacy

play13:43

Engineers to go and learn to use a CLI

play13:45

or to go and learn to write YAML files

play13:46

they're able to come in here and use the

play13:48

UI something that should already be

play13:49

familiar with

play13:51

to to then ingest that information

play13:54

so I'm going to just toggle this okay so

play13:57

I can see as you just saw I submitted an

play13:59

access request

play14:01

it's going to show up here in the

play14:02

Privacy Center

play14:04

I can approve it

play14:07

and then in production depending on what

play14:09

you've set up usually it's S3 that would

play14:12

actually go to an S3 bucket the user

play14:14

would be sent a link and then be able

play14:15

to download it

play14:17

additionally over here in data mapping

play14:18

we have a view of all of our systems

play14:21

because again we've defined everything

play14:23

as metadata and now we're able to say

play14:26

hey

play14:27

we know these are our systems we know

play14:29

what the uses are

play14:31

and we can then drill in and see exactly

play14:35

exactly what's going on there

play14:38

so this is really important for anyone

play14:40

that's had to do any kind of auditing

play14:41

around privacy we have everything in

play14:43

here that you need to be compliant

play14:51

okay so that's Fides in a nutshell

play14:53

that's covering

play14:54

how we maintain privacy during the

play14:56

software development life cycle and then

play14:58

that's maintaining

play15:00

how users interact with Fides and how

play15:02

that eventually gets back to your admin

play15:03

UI where you can then do those erasures

play15:06

do those access requests and maintain

play15:08

that user's privacy throughout the

play15:09

entire application including the data

play15:11

warehouse so we have connectors

play15:14

that can talk to your data source and

play15:17

that includes third-party APIs as well

play15:19

because that also falls under it

play15:22

um so like under Connection Manager you

play15:24

can see so this sample application has a

play15:25

database and has a Postgres

play15:27

database and we're connected to both of

play15:29

those and we're able to go find that

play15:31

Thomas ethica.com and remove it or grab

play15:34

it from all those places and we

play15:35

understand

play15:36

the execution graph of how that should

play15:38

be run

play15:42

because for instance if you're if you're

play15:43

running

play15:44

an erasure you don't want to

play15:47

mess up a foreign key relationship or

play15:49

anything of that nature so again we're

play15:50

actually building a graph and

play15:51

understanding what order we should

play15:53

execute everything in to make sure we

play15:54

don't mess things up

play15:58

so quick summary

play16:00

data compliance is really really hard

play16:03

and it's not a simple or a solved

play16:05

problem

play16:07

maybe some people sitting in the audience

play16:08

right now have just come to the

play16:10

realization that they're probably not

play16:11

compliant uh don't worry that's that's

play16:13

normal

play16:15

it's really difficult

play16:17

um because you need to handle the DSR

play16:18

processing you need to handle the

play16:20

consent tracking you need to handle data

play16:22

mapping and potentially more things

play16:24

right as as more regulation is added and

play16:27

they're even slightly different

play16:28

depending on each spot something I

play16:30

didn't even get into was

play16:32

you also need to look at

play16:34

geography when doing some of these

play16:36

things so for instance if you are in

play16:40

California and you go to that privacy uh

play16:42

you know consent Center that I just

play16:44

showed you you're going to have a

play16:45

different experience than if you're in a

play16:47

different state or you're in Europe

play16:48

because we actually tailor it to each

play16:49

geographic location that's important

play16:52

and again I think most companies

play16:54

actually

play16:55

are solving this by simply being

play16:57

non-compliant and just hoping they can

play17:00

wing it or get away with it or not get

play17:02

caught so a lot of people that come to

play17:04

us and want help implementing Fides are

play17:06

companies that are just not compliant

play17:08

we're not replacing some kind of

play17:09

existing solution they're just not

play17:10

compliant in the first place

play17:13

and additionally the ones that do come

play17:15

to us that already have some kind of

play17:17

data data compliance tool it's not

play17:19

holistic right because there are some

play17:21

really fantastic tools for say okay

play17:23

let's do data governance and lineage

play17:26

throughout our data warehouse but okay

play17:28

what about the application database or

play17:30

what about when a user visits your

play17:31

website how are you recording what their

play17:32

consent is and then

play17:34

tying that through your entire your

play17:36

entire data life cycle

play17:38

which is more than just a data warehouse

play17:41

well lucky for you all Fides does

play17:44

it does it all and you're welcome no

play17:47

we're we're always working on it we're

play17:49

always trying to evolve it uh

play17:51

but again that's that's kind of the

play17:53

benefit of Fides is you get privacy

play17:56

experts right we do this day in and day

play17:58

out building this fully open source

play17:59

project

play18:02

um recently actually the the Python

play18:03

Software Foundation uh contributed to

play18:06

Fides and is now

play18:08

implementing Fides as part of all of the

play18:11

infrastructure the Python Software

play18:13

Foundation so in the near future even

play18:15

using something like pip will actually

play18:17

be

play18:18

talking to Fides in the background which

play18:20

has been really exciting for us

play18:23

and in summation

play18:25

why Fides does it all is because we have

play18:27

a solution for the DSRs the data mapping

play18:30

user-facing privacy Center

play18:32

and enforcing compliance at development

play18:34

time

play18:37

quick appendix

play18:39

for any links so first docs.ethica.com

play18:43

you can go there to learn all about

play18:45

Fides anything else you might want to

play18:47

know we have a lot of tutorials on there

play18:49

if you want to play around with the demo

play18:52

that I did the fides deploy up it will

play18:54

have instructions on that as well it's

play18:56

just a pip install ethica fides we also

play18:59

have links to Fides and fideslang on

play19:01

GitHub get both of those completely open

play19:03

source contributions welcome we interact

play19:06

with the community quite a bit and then

play19:08

finally for some

play19:10

I guess self-promotion I was recently on

play19:13

an episode of the Talk Python to Me

play19:15

podcast episode 409 and if you just want

play19:18

to hear me talk about data I'd be

play19:20

flattered you can go listen to that we

play19:24

get into you know a lot more than just

play19:25

Fides we talk about data privacy as a

play19:27

whole compliance and how it affects us

play19:29

as software engineers and innovators and

play19:31

entrepreneurs

play19:35

so that's all I have for everyone thank

play19:37

you
